PROTOCOL SPECIFICATION


CONTAINS AGENT SPECIFIC CONTROL DATA LIKE VERSION INFORMATION, THE COMMAND TO 
EXECUTE AND COMPUTER INFORMATION SENDING THE CUSTOM ACTIONS INFORMATION 


THE COMMAND FIELD COULD BE USED TO EASILY DETERMINE IF DATA IS GOING TO BE RETRIEVED 
(REQUESTCUSTOMACTION) OR RETURNED AFTER THE ACTION HAS BEEN EXECUTED 
(RESPONDTOCUSTOMACTION) - OPTIONAL 


COMPUTER INFORMATION OF THE SENDER. IF THE AGENT IS ABLE TO PROCESS REQUESTS IN
PARALLEL AND ASYNCHRONOUSLY, THIS INFORMATION IS USEFUL. THE SIMPLEST FORM OF THIS FIELD
CONTAINS THE COMPUTER NAME


ANY NUMBER OF CUSTOM ACTION COM SERVERS OR DLLS OR EXECUTABLES REQUIRED FOR THE
TASKS ARE LISTED WITHIN THE CUSTOMACTIONS


THE ID SPECIFIES A CLSID IF THE CUSTOM ACTION METHOD IS CONTAINED IN A COM SERVER OR THE 
PATH TO A DLL/EXE FILE IF A LIBRARY OR AN EXECUTABLE IMPLEMENTS THE METHOD TO EXECUTE.
IF A CLSID IS SPECIFIED, THE FOLLOWING <INTERFACE> COMPLEX TYPE IS REQUIRED TO SPECIFY 
THE INTERFACE OF THE COM SERVER CONTAINING THE METHOD TO EXECUTE. OTHERWISE 
<INTERFACE> IS NOT REQUIRED AND ANY NUMBER OF <METHOD> TYPES FOLLOW IMMEDIATELY 


ONLY REQUIRED IF THE <METHOD> IS IMPLEMENTED IN A COM SERVER


THE INTERFACE IDENTIFIER OF THE COM SERVER (IID)


ANY NUMBER OF METHODS IMPLEMENTED IN THE CUSTOM ACTION DEVICE


THE METHOD NAME. IN CASE OF A COM SERVER, THIS IS THE METHOD NAME OF THE COM 
INTERFACE, ELSE THIS DENOTES THE NAME OF AN EXPORTED FUNCTION OR E.G. A COMMAND LINE 
PARAMETER OF AN EXECUTABLE 


ANY NUMBER OF PARAMETERS REQUIRED FOR THE METHOD. THIS INCLUDES REQUESTED OUT 
PARAMETERS, WHICH ARE LISTED, BUT DON'T CONTAIN DATA AND INOUT PARAMETERS WHICH HAVE 
A DIFFERENT VALUE ON RESPONSE THAN ON REQUEST 


THE NAME OF THE PARAMETER


CAN BE ANY STANDARD XML DATATYPE


POSSIBLE VALUES ARE 'IN' AND 'INOUT'. SPECIFIES IF THE PARAMETER IS REQUESTED, PASSED TO 
THE FUNCTION OR PASSED TO THE FUNCTION FOR MODIFICATION 


ANY OTHER NON STANDARD XML DATATYPE CAN FOLLOW 
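
The CLSID-versus-path rule above can be checked before an agent dispatches anything. The following is an added example, not code from the original document: the allowlist, the DOCTYPE rejection, the host name and the second (path) target are assumptions made for illustration, and 'out' is accepted for inout because the sample messages use it.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.nai.com}"
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
INOUT = {"in", "out", "inout"}  # the sample messages use all three values
# Constructed allowlist (assumption): targets this agent is willing to invoke.
ALLOWED_TARGETS = {"{06E0062A-5069-4793-ACED-F80BE1BBC4AF}"}
# Constructed request, cut down from the request message format described above.
SAMPLE = """<?xml version="1.0"?>
<AgentProtocol xmlns="http://www.nai.com">
  <ControlData><Version>0x01000001</Version><MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command><Server>examplehost</Server></ControlData>
  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out"/>
      </Method>
    </Interface>
  </CustomActions>
  <CustomActions id="C:\\Temp\\Unknown.dll">
    <Method id="Run"><Parameter id="Arg" type="xs:string" inout="in">x</Parameter></Method>
  </CustomActions>
</AgentProtocol>"""

def check_request(xml_text, allowed=ALLOWED_TARGETS):
    """Return a list of findings; an empty list means the request may be dispatched."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs so no entities are ever expanded
        return ["DOCTYPE not allowed"]
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext(f"{NS}ControlData/{NS}Command") != "RequestCustomAction":
        findings.append("Command is not RequestCustomAction")
    for ca in root.findall(f"{NS}CustomActions"):
        target = ca.get("id", "")
        if target not in allowed:
            findings.append(f"target not allowlisted: {target}")
        is_clsid = bool(GUID.match(target))
        want = "Interface" if is_clsid else "Method"  # CLSID needs <Interface>
        for child in ca:
            if child.tag != NS + want:
                findings.append(f"{target}: expected <{want}>, got {child.tag}")
        if is_clsid and any(not GUID.match(i.get("id", "")) for i in ca):
            findings.append(f"{target}: Interface id is not an IID")
        for p in ca.iter(f"{NS}Parameter"):
            if p.get("inout") not in INOUT:
                findings.append(f"{target}: bad inout on {p.get('id')}")
    return findings
```
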

<?xml version="1.0" ?>
<AgentProtocol xmlns="http://www.nai.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>
  <CustomActions id="<AGENT_INSTALLED_DIR>\\CustomActionsLibrary\\CustActl.dll">
    <Method id="GetRegStringValue">
      <Parameter id="Key" type="xs:string" inout="in"><AGENT_INSTALLED_REGKEY></Parameter>
      <Parameter id="Valuename" type="xs:string" inout="in">AgentVersion</Parameter>
      <Parameter id="Result" type="xs:string" inout="out" />
    </Method>
  </CustomActions>
  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="ExecuteSilentInstallation">
        <Parameter id="ProductName" type="xs:string" inout="in">TestInstallProduct</Parameter>
        <Parameter id="ProductVersion" type="xs:decimal" inout="in">0x01000001</Parameter>
        <Parameter id="Location" type="xs:string" inout="in">c:\InstallImages</Parameter>
        <Parameter id="Result" type="xs:string" inout="out" />
      </Method>
    </Interface>
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out" />
        <Parameter id="Result" type="xs:decimal" inout="out" />
      </Method>
    </Interface>
  </CustomActions>
  <CustomActions id="{06E0062B-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="TriggerEvent">
        <Parameter id="EventID" type="xs:decimal" inout="in">1000</Parameter>
        <Parameter id="EventDescription" type="xs:decimal"
            inout="in">The event %EventID% has been triggered by
            %USERNAME% on Computer %COMPUTERNAME%. The
            %FILENAME% file is infected with %VIRUSNAME%. This has
            been detected by engineversion %ENGINEVERSION%
            datversion %DATVERSION%.</Parameter>
        <Parameter id="COMPUTERNAME" type="xs:string" inout="in">sourcecomputer</Parameter>
        <Parameter id="USERNAME" type="xs:string" inout="in">sourceuser</Parameter>
        <Parameter id="FILENAME" type="xs:string" inout="in">kernel32.dll</Parameter>
        <Parameter id="VIRUSNAME" type="xs:string" inout="in">Nimbda</Parameter>
        <Parameter id="ENGINEVERSION" type="xs:decimal" inout="in">0x04005001</Parameter>
        <Parameter id="DATVERSION" type="xs:decimal" inout="in">0x07003009</Parameter>
        <Parameter id="Result" type="xs:string" inout="out" />
      </Method>
    </Interface>
  </CustomActions>
</AgentProtocol>

CUSTOM ACTIONS PROTOCOL REG XML 



FIG. 10B 

<?xml version="1.0" ?>
<AgentProtocol xmlns="http://www.nai.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RespondToCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>
  <CustomActions id="<AGENT_INSTALLED_DIR>\\CustomActionsLibrary\\CustActl.dll">
    <Method id="GetRegStringValue">
      <Parameter id="Result" type="xs:string" inout="out">5.0.1.10</Parameter>
    </Method>
  </CustomActions>
  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="ExecuteSilentInstallation">
        <Parameter id="Result" type="xs:string" inout="out">Error: Invalid
            Image path specified.</Parameter>
      </Method>
    </Interface>
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out">C:\Winnt\System32</Parameter>
        <Parameter id="Result" type="xs:decimal" inout="out">0</Parameter>
      </Method>
    </Interface>
  </CustomActions>
  <CustomActions id="{06E0062B-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="TriggerEvent">
        <Parameter id="Result" type="xs:string" inout="out">Event sent to
            testcomputer2</Parameter>
      </Method>
    </Interface>
  </CustomActions>
</AgentProtocol>

<?xml version="1.0" ?>
<AgentProtocol xmlns="http://www.nai.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd
    http://www.nai.com AgentConfiguration.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>
  <CustomActions id="RegistryMapping.dll">
    <Method id="WriteConfig">
      <RegistryConfiguration id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee">
        <Product id="Alert Manager">
          <Version>0x04070000</Version>
          <DisplayName>Alert Manager 4.7</DisplayName>
          <Language id="0407">
            <Version>0x01000002</Version>
            <Event id="1">
              <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>5</Severity>
              <Enabled>1</Enabled>
            </Event>
          </Language>
          <Language id="0409">
            <Version>0x01000002</Version>
            <Event id="1">
              <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>0</Severity>
              <Enabled>1</Enabled>
            </Event>
            <Event id="2">
              <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>1</Severity>
            </Event>
          </Language>
        </Product>
      </RegistryConfiguration>
    </Method>
    <Method id="ReadConfig">
      <RegistryConfiguration id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\*" />
    </Method>
  </CustomActions>
  <CustomActions id="INIFileMapping.dll">
    <Method id="WriteConfig">
      <FileConfiguration id="C:\Program Files\Alert Manager\AMGConfig.ini">
        <Extensions>
          <amg>AMGConfig</amg>
          <asf>MPEGVideo</asf>
          <wmp>MPEGVideo2</wmp>
        </Extensions>
      </FileConfiguration>
    </Method>
    <Method id="ReadConfig">
      <FileConfiguration id="C:\Program Files\Alert Manager\AMGConfig.ini" />
    </Method>
  </CustomActions>
  <CustomActions id="MAPIMapping.dll">
    <Method id="WriteConfig">
      <DAPIConfiguration id="/O=org/OU=TestSite/CN=TestContainer">
        <BinaryProperty>0123456789ABCDEF00000</BinaryProperty>
      </DAPIConfiguration>
    </Method>
    <Method id="ReadConfig">
      <DAPIConfiguration id="/O=org/OU=TestSite/CN=TestContainer" />
    </Method>
  </CustomActions>
</AgentProtocol>

AGENT CONFIG CUSTOM ACTION XML

<?xml version="1.0" ?>
<AMGEvents xmlns="http://www.nai.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.nai.com AMGEvents.xsd">
  <Product id="Alert Manager">
    <Version>0x04070000</Version>
    <DisplayName>Alert Manager 4.7</DisplayName>
    <Language id="0407">
      <Version>0x01000002</Version>
      <Event id="1">
        <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>5</Severity>
        <Enabled>1</Enabled>
      </Event>
    </Language>
    <Language id="0409">
      <Version>0x01000002</Version>
      <Event id="1">
        <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>0</Severity>
        <Enabled>1</Enabled>
      </Event>
      <Event id="2">
        <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="3">
        <LONGDESCRIPT>Text of event 3.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="4">
        <LONGDESCRIPT>Text of event 4.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
    </Language>
  </Product>
</AMGEvents>

XML DATA 

<?xml version="1.0" encoding="UTF-8" ?>
<!-- edited with XML Spy v4.0.1 U (http://www.xmlspy.com) by Napalm (Napalm) -->
<xs:schema targetNamespace="http://www.nai.com"
    xmlns="http://www.nai.com"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    elementFormDefault="qualified">
  <xs:element name="DisplayName" type="xs:string" />
  <xs:element name="Enabled" type="xs:boolean" />
  <xs:complexType name="EventType">
    <xs:all>
      <xs:element ref="LONGDESCRIPT" />
      <xs:element ref="SHORTDESCRIPT" />
      <xs:element ref="Severity" />
      <xs:element ref="Enabled" minOccurs="0" />
    </xs:all>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>
  <xs:complexType name="LanguageType">
    <xs:sequence>
      <xs:element ref="Version" />
      <xs:element name="Event" type="EventType" maxOccurs="unbounded" />
    </xs:sequence>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>
  <xs:element name="Product">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Version" />
        <xs:element ref="DisplayName" />
        <xs:element name="Language" type="LanguageType" maxOccurs="unbounded" />
      </xs:sequence>
      <xs:attribute name="id" type="xs:string" use="required" />
    </xs:complexType>
  </xs:element>
  <xs:element name="AMGEvents">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Product" maxOccurs="unbounded" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="LONGDESCRIPT" type="xs:string" />
  <xs:element name="SHORTDESCRIPT" type="xs:string" />
  <xs:element name="Severity" type="xs:string" />
  <xs:element name="Version" type="xs:string" />
</xs:schema>

XSD DATA 



FIG. 22 



Inventor: NEDBAL et al

SN 10/091,415/Sheet 23 of 25

Atty. Dkt.: 550-321



[Flowchart; recoverable labels: REGISTRY DATA, MAPPING FUNCTION, DOM DATA, CONVERSION (SERIALIZATION) INTO XML, XML DATA, XSD DATA, VALIDATION OF XML DATA USING XML PARSER, VALIDATION RESULT]



FIG. 23 



[Flowchart; recoverable labels: APPLICATION, REGISTRY, MAPPING, SERIALIZATION, XSD, XML, VALIDATION, VALIDATION RESULT]

FIG. 24 







FIG. 25 



[Diagram; recoverable labels: YES - MAPPING (DOM INTO REGISTRY), REGISTRY, APPLICATION, MAPPING, SERIALIZATION, XSD, XML]



FIG. 26 



[Diagram; recoverable labels: APPLICATION, DOM FUNCTION CALLS, DESERIALIZATION, XML, XML DESERIALIZATION, DOM, MAPPING, REGISTRY]






[Diagram; recoverable labels: APPLICATION, REGISTRY, MAPPING, SERIALIZATION, XSD, XML, APPLICATION, DOM FUNCTION CALLS, DESERIALIZATION, XML]




FIG. 27 



[Diagram; recoverable labels: TRANSFER, XML DATA, APPLICATION, XML, XSD, DOM, MAPPING, REGISTRY, YES - XML DESERIALIZATION]



[Block diagram; recoverable labels: DISPLAY DRIVER, USER I/O]



FIG. 28 



